Posted to commits@druid.apache.org by GitBox <gi...@apache.org> on 2022/09/19 09:12:58 UTC

[GitHub] [druid] adarshsanjeev opened a new pull request, #13119: Suppress Calcite CVE

adarshsanjeev opened a new pull request, #13119:
URL: https://github.com/apache/druid/pull/13119

   The vulnerability is in a builtin function in Calcite, EXTRACT_VALUE, which is not exposed in the Druid console, so Druid should be unaffected.
   
   - Suppress calcite CVE.
   
   <hr>
   
   
   This PR has:
   - [x] been self-reviewed.
      - [ ] using the [concurrency checklist](https://github.com/apache/druid/blob/master/dev/code-review/concurrency.md) (Remove this item if the PR doesn't have any relation to concurrency.)
   - [ ] added documentation for new or modified features or behaviors.
   - [ ] added Javadocs for most classes and all non-trivial methods. Linked related entities via Javadoc links.
   - [ ] added or updated version, license, or notice information in [licenses.yaml](https://github.com/apache/druid/blob/master/dev/license.md)
   - [ ] added comments explaining the "why" and the intent of the code wherever would not be obvious for an unfamiliar reader.
   - [ ] added unit tests or modified existing tests to cover new code paths, ensuring the threshold for [code coverage](https://github.com/apache/druid/blob/master/dev/code-review/code-coverage.md) is met.
   - [ ] added integration tests.
   - [ ] been tested in a test Druid cluster.
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@druid.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@druid.apache.org
For additional commands, e-mail: commits-help@druid.apache.org
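Added example, not Druid's own code and not part of this PR: a small audit script that parses a dependency-check suppressions file of the shape used in `owasp-dependency-check-suppressions.xml` and reports the properties a reviewer cares about in an entry like the two this PR adds (one per jar, each with only `<notes>` and `<cve>`). A `<suppress>` that carries none of `<filePath>`, `<sha1>`, `<gav>` or `<packageUrl>` applies to every dependency in the scan, whatever its `<notes>` say, so a second global entry for the same CVE is redundant, and an entry without an `until` date hides the finding indefinitely. The embedded XML is constructed (modelled on the PR's entries plus a scoped, time-limited variant), the schema namespace URI and the `until`/`packageUrl regex="true"` syntax are dependency-check's own, and `today` defaults to the PR date; the audit generalizes to any suppressions file.

```python
"""Audit an OWASP dependency-check suppressions file for entries that are
broader or longer-lived than their notes suggest.  Added example; not Druid's code."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from datetime import date

# Elements that limit a <suppress> to particular dependencies.  An entry with
# none of them matches every dependency in the scan; <notes> is documentation only.
SCOPE_TAGS = ("filePath", "sha1", "gav", "packageUrl")

# Constructed sample: two entries shaped like the PR's (unscoped, no expiry) and a
# third showing a scoped, time-limited form.  Namespace URI is dependency-check's
# 1.3 suppression schema (assumed to be what the real file declares).
SAMPLE_XML = r"""<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress>
    <!-- avatica-server-1.17.0.jar -->
    <notes><![CDATA[
   file name: avatica-server-1.17.0.jar
   ]]></notes>
    <cve>CVE-2022-39135</cve>
  </suppress>
  <suppress>
    <!-- calcite-core-1.21.0.jar -->
    <notes><![CDATA[
   file name: calcite-core-1.21.0.jar
   ]]></notes>
    <cve>CVE-2022-39135</cve>
  </suppress>
  <suppress until="2023-03-31Z">
    <notes><![CDATA[ scoped and time-limited form (constructed) ]]></notes>
    <packageUrl regex="true">^pkg:maven/org\.apache\.calcite/calcite\-core@.*$</packageUrl>
    <cve>CVE-2022-39135</cve>
  </suppress>
</suppressions>
"""


@dataclass(frozen=True)
class Finding:
    index: int        # 1-based position of the <suppress> element in the file
    cves: tuple       # CVE ids the entry suppresses
    problems: tuple   # any of "unscoped", "redundant", "no-expiry", "expired"


def _tag(root, name):
    """Qualify a local tag name with the document's default namespace, if any."""
    if root.tag.startswith("{"):
        return root.tag[: root.tag.index("}") + 1] + name
    return name


def audit(xml_text, today="2022-09-19"):
    """Return one Finding per <suppress> that is unscoped, repeats a CVE already
    suppressed globally, has no `until` date, or is past it.  `today` is yyyy-mm-dd."""
    ref = date.fromisoformat(today)
    root = ET.fromstring(xml_text)
    seen_global = set()   # CVEs already suppressed for every dependency
    findings = []
    for index, sup in enumerate(root.iter(_tag(root, "suppress")), start=1):
        cves = tuple(e.text.strip() for e in sup.findall(_tag(root, "cve")))
        problems = []
        unscoped = all(sup.find(_tag(root, t)) is None for t in SCOPE_TAGS)
        if unscoped:
            problems.append("unscoped")
            if any(c in seen_global for c in cves):
                problems.append("redundant")   # an earlier global entry already covers it
            seen_global.update(cves)
        until = sup.get("until")
        if until is None:
            problems.append("no-expiry")
        elif date.fromisoformat(until.rstrip("Z")) < ref:
            problems.append("expired")
        if problems:
            findings.append(Finding(index, cves, tuple(problems)))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_XML):
        print(f"suppress #{f.index} {', '.join(f.cves)}: {', '.join(f.problems)}")
```

Run against the sample, the first two entries come back as unscoped and open-ended (the second also as redundant with the first), while the scoped entry is clean until its `until` date passes; point `audit()` at the real file's text to get the same report for a checked-out tree.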


[GitHub] [druid] kfaraz commented on a diff in pull request #13119: Suppress Calcite CVE

Posted by GitBox <gi...@apache.org>.
kfaraz commented on code in PR #13119:
URL: https://github.com/apache/druid/pull/13119#discussion_r976203231


##########
owasp-dependency-check-suppressions.xml:
##########
@@ -632,4 +632,26 @@
     <cve>CVE-2022-31197</cve>
   </suppress>
 
+  <suppress>
+    <!-- avatica-server-1.17.0.jar -->
+    <notes><![CDATA[
+   file name: avatica-server-1.17.0.jar
+   ]]></notes>
+    <!--
+    We do not expose any of the built-in functions related to this CVE
+    -->
+    <cve>CVE-2022-39135</cve>
+  </suppress>
+
+  <suppress>
+    <!-- calcite-core-1.21.0.jar -->
+    <notes><![CDATA[
+   file name: calcite-core-1.21.0.jar
+   ]]></notes>
+    <!--
+    We do not expose any of the built-in functions related to this CVE
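Review bot: neither new `<suppress>` block carries a `<packageUrl>`, `<gav>`, `<sha1>` or `<filePath>` matcher, so each one suppresses CVE-2022-39135 for every dependency in the scan, not only the jar named in its `<notes>` (the notes element documents the entry; it does not filter). That also makes the second block redundant with the first. If the intent is to suppress only for the named jars, scope each entry, for example by adding `<packageUrl regex="true">^pkg:maven/org\.apache\.calcite/calcite\-core@.*$</packageUrl>` next to the `<cve>` line.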

Review Comment:
   ```suggestion
       We do not expose any of the SQL operators that were found vulnerable in this CVE.
   ```





[GitHub] [druid] kfaraz commented on a diff in pull request #13119: Suppress Calcite CVE

Posted by GitBox <gi...@apache.org>.
kfaraz commented on code in PR #13119:
URL: https://github.com/apache/druid/pull/13119#discussion_r976198233


##########
owasp-dependency-check-suppressions.xml:
##########
@@ -632,4 +632,26 @@
     <cve>CVE-2022-31197</cve>
   </suppress>
 
+  <suppress>
+    <!-- avatica-server-1.17.0.jar -->
+    <notes><![CDATA[
+   file name: avatica-server-1.17.0.jar
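Review bot: the `<notes>` record only the file name, but the suppression rests on a reachability argument (the vulnerable Calcite operators are not exposed), so the notes should state which operators are meant and where Druid prevents their use, and the entry should carry an `until="..."` date so the finding resurfaces when the Calcite upgrade is due instead of staying hidden indefinitely.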

Review Comment:
   The vulnerability is in calcite-core. Does it need to be suppressed for avatica-server too?





[GitHub] [druid] kfaraz commented on a diff in pull request #13119: Suppress Calcite CVE

Posted by GitBox <gi...@apache.org>.
kfaraz commented on code in PR #13119:
URL: https://github.com/apache/druid/pull/13119#discussion_r976200451


##########
owasp-dependency-check-suppressions.xml:
##########
@@ -632,4 +632,26 @@
     <cve>CVE-2022-31197</cve>
   </suppress>
 
+  <suppress>
+    <!-- avatica-server-1.17.0.jar -->
+    <notes><![CDATA[
+   file name: avatica-server-1.17.0.jar

Review Comment:
   I don't think so. Could you try running the security check without the extra suppression?





[GitHub] [druid] abhishekagarwal87 merged pull request #13119: Suppress Calcite CVE

Posted by GitBox <gi...@apache.org>.
abhishekagarwal87 merged PR #13119:
URL: https://github.com/apache/druid/pull/13119




[GitHub] [druid] adarshsanjeev commented on a diff in pull request #13119: Suppress Calcite CVE

Posted by GitBox <gi...@apache.org>.
adarshsanjeev commented on code in PR #13119:
URL: https://github.com/apache/druid/pull/13119#discussion_r976199702


##########
owasp-dependency-check-suppressions.xml:
##########
@@ -632,4 +632,26 @@
     <cve>CVE-2022-31197</cve>
   </suppress>
 
+  <suppress>
+    <!-- avatica-server-1.17.0.jar -->
+    <notes><![CDATA[
+   file name: avatica-server-1.17.0.jar

Review Comment:
   I believe calcite is used by avatica server too; wouldn't it need to be suppressed separately?





[GitHub] [druid] adarshsanjeev commented on a diff in pull request #13119: Suppress Calcite CVE

Posted by GitBox <gi...@apache.org>.
adarshsanjeev commented on code in PR #13119:
URL: https://github.com/apache/druid/pull/13119#discussion_r977457238


##########
owasp-dependency-check-suppressions.xml:
##########
@@ -632,4 +632,26 @@
     <cve>CVE-2022-31197</cve>
   </suppress>
 
+  <suppress>
+    <!-- avatica-server-1.17.0.jar -->
+    <notes><![CDATA[
+   file name: avatica-server-1.17.0.jar
+   ]]></notes>
+    <!--
+    We do not expose any of the built-in functions related to this CVE
+    -->
+    <cve>CVE-2022-39135</cve>
+  </suppress>
+
+  <suppress>
+    <!-- calcite-core-1.21.0.jar -->
+    <notes><![CDATA[
+   file name: calcite-core-1.21.0.jar
+   ]]></notes>
+    <!--
+    We do not expose any of the built-in functions related to this CVE

Review Comment:
   Changed





[GitHub] [druid] kfaraz commented on a diff in pull request #13119: Suppress Calcite CVE

Posted by GitBox <gi...@apache.org>.
kfaraz commented on code in PR #13119:
URL: https://github.com/apache/druid/pull/13119#discussion_r976200451


##########
owasp-dependency-check-suppressions.xml:
##########
@@ -632,4 +632,26 @@
     <cve>CVE-2022-31197</cve>
   </suppress>
 
+  <suppress>
+    <!-- avatica-server-1.17.0.jar -->
+    <notes><![CDATA[
+   file name: avatica-server-1.17.0.jar

Review Comment:
   I don't think so. Could you try running the vulnerability check without the extra suppression?





[GitHub] [druid] abhishekagarwal87 commented on a diff in pull request #13119: Suppress Calcite CVE

Posted by GitBox <gi...@apache.org>.
abhishekagarwal87 commented on code in PR #13119:
URL: https://github.com/apache/druid/pull/13119#discussion_r978509295


##########
owasp-dependency-check-suppressions.xml:
##########
@@ -632,4 +632,26 @@
     <cve>CVE-2022-31197</cve>
   </suppress>
 
+  <suppress>
+    <!-- avatica-server-1.17.0.jar -->
+    <notes><![CDATA[
+   file name: avatica-server-1.17.0.jar

Review Comment:
   The failure is being reported for `avatica-server` as well.
   ```
   [ERROR] ----------------------------------------------------
   [ERROR] .NET Assembly Analyzer could not be initialized and at least one 'exe' or 'dll' was scanned. The 'dotnet' executable could not be found on the path; either disable the Assembly Analyzer or add the path to dotnet core in the configuration.
   [ERROR] ----------------------------------------------------
   [ERROR] Failed to execute goal org.owasp:dependency-check-maven:7.0.4:aggregate (default-cli) on project druid: 
   [ERROR] 
   [ERROR] One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '7.0': 
   [ERROR] 
   [ERROR] avatica-server-1.17.0.jar: CVE-2022-39135(9.8)
   [ERROR] calcite-core-1.21.0.jar: CVE-2022-39135(9.8)
   [ERROR] 
   [ERROR] See the dependency-check report for more details.
   [ERROR] -> [Help 1]
   [ERROR] 
   [ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch.
   [ERROR] Re-run Maven using the -X switch to enable full debug logging.
   [ERROR] 
   [ERROR] For more information about the errors and possible solutions, please read the following articles:
   [ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/MojoFailureException
   ```


